AWS Key Components • Project Workflow • Pricing • Blueprints • Further Improvements • References • Contribute
Each project code leverages these AWS services through Terraform to create an automated deployment pipeline for your application, ensuring scalability, reliability, and security throughout the process.
- Amazon Virtual Private Cloud (VPC): Is a secure, isolated private cloud hosted.
- Amazon Subnets: Public and private subnets within the VPC for isolating resources based on security requirements.
- Amazon Internet Gateway (IGW): Provides internet connectivity to instances in the public subnets.
- Amazon NAT Gateway: Enables instances in the private subnets to initiate outbound traffic to the internet while preventing incoming connections.
- Amazon Security Group (SG): Defines inbound and outbound traffic rules to control network access to instances.
- Amazon Application Load Balancer (ALB): Distributes incoming application traffic across multiple targets, such as Amazon ECS containers.
- Amazon ECS Cluster: Manages containers using the AWS Fargate launch type, abstracting the underlying infrastructure.
- Amazon ECS Task Definition: Specifies the parameters for running containers within an Amazon ECS service.
- Amazon Elastic Container Registry (ECR): A fully managed Docker container registry that stores, manages, and deploys container images.
- Amazon IAM Roles and Policies: Define permissions for different services, allowing them to interact securely.
Each project represents a Continuous Deployment to AWS Fargate from GitHub using Terraform:
- VPC and Networking: Create a VPC with specified CIDR blocks, public and private subnets across availability zones, an IGW for public subnet communication, configure NAT Gateway for private subnet outbound communication and set up route tables for public and private subnets.
- Security Group: Create a security group for the ALB. Allow incoming traffic on ports 80 and 5000 for the ALB. Allow all outbound traffic.
- Application Load Balancer (ALB): Create an ALB with specified attributes and subnets and set up ALB target groups and listeners.
- Amazon ECS Cluster and Task Definition: Create an ECS cluster, define an ECS task definition for the application, configure the container definition for the Flask app, an IAM policy for ECS task execution.
-
Billing is based on the cost of the underlying
EC2 instances
. -
This allows you to optimize price by taking advantage of billing models such as:
-
spot instances
(bid a low price for an instance) -
reserved instances
(get a flat discount for committing to an instance for a certain period). -
However, it is your responsibility to make sure that your containers are densely packed onto instances to get the best use out of them, otherwise, you will be wasting money.
-
Billing is based on how many
CPU
cores, and gigabytes ofmemory
your task requires, per second. -
You only ever pay for what your task uses, no more paying for EC2 capacity that goes unused.
https://github.com/juanroldan1989/deploy-ecs-blueprint/tree/main/1.ecs-ec2-nginx
https://github.com/juanroldan1989/deploy-ecs-blueprint/tree/main/2.ecs-fargate-nginx
https://github.com/juanroldan1989/deploy-ecs-blueprint/tree/main/3.ecs-fargate-nginx-flask
- 🟡 Pipeline integrated within
Github Actions
- work in progress - 🟢 Infrastructure provisioned through
Terraform
- 🟡
Terraform
State stored inS3
- work in progress - 🟢 Load Testing performed through
wrk
tool on endpoints
https://github.com/juanroldan1989/deploy-ecs-blueprint/tree/main/4.ecs-fargate-nginx-flask-db
- 🟡 Pipeline integrated within
Github Actions
- work in progress - 🟢 Infrastructure provisioned through
Terraform
- 🟢
MariaDB
database instance added within ECS Fargate Task. - 🟡
Terraform
State stored inS3
- work in progress - 🟢 Load Testing performed through
wrk
tool on endpoints
- Changes are pushed into
main
ordevelop
branch. ECR
is created if it doesn't exist already.
resource "aws_ecr_repository" "image_repo" {
name = var.name
image_tag_mutability = "IMMUTABLE"
encryption_configuration {
encryption_type = "KMS"
kms_key = aws_kms_key.custom_kms_key.arn
}
image_scanning_configuration {
scan_on_push = true
}
}
- Docker
build
is triggered. - New Docker image/s is/are
tagged
andpushed
. - Docker images are scanned:
-
Trivy Trivy checks for known vulnerabilities in the container image, scanning OS packages and application libraries. The workflow fails if HIGH or CRITICAL vulnerabilities are detected.
-
Dockle Dockle checks if the Dockerfile follows best practices. It verifies that the container is not running as root, ensures there are no unnecessary files or directories, and more.
- Infra Costs analisis is provided within
Pull Request
- https://github.com/kunduso/add-aws-ecr-ecs-fargate/blob/main/.github/workflows/terraform.yml#L70
- https://github.com/infracost/actions/blob/master/README.md
terraform apply
command is triggered using newIMAGE_TAG
- https://skundunotes.com/2024/05/06/continuous-deployment-of-amazon-ecs-service-using-terraform-and-github-actions/
https://github.com/kunduso/add-aws-ecr-ecs-fargate/blob/main/deploy/backend.tf
terraform {
backend "s3" {
bucket = "ecs-app-XXX"
encrypt = true
key = "terraform-state/terraform.tfstate"
region = "us-east-1"
}
}
-
For this section I'm interested in implementing a module to "trigger chaos on command".
-
This way it'd be possible to test how each application reacts and recovers from failure scenarios.
- https://spacelift.io/blog/terraform-ecs
- https://github.com/docker/awesome-compose
- https://medium.com/aws-arena/aws-fargate-chaos-monkey-78faa8923af6
Got something interesting you'd like to add or change? Please feel free to Open a Pull Request
If you want to say thank you and/or support the active development of ECS Deployment Blueprint
:
- Add a GitHub Star to the project.
- Tweet about the project on your Twitter.
- Write a review or tutorial on Medium, Dev.to or personal blog.